One of my favorite lines from one of my favorite bands (The Samples) is stuck in my head as I reflect on a new executive search that my team and I are about to kick off. The search discovery meetings are beginning tomorrow morning and I didn't get my usual 5 hours of sleep because I was pumped up and ready to begin the hunting process. We will be seeking another purple squirrel,* a security executive from a great company in the Valley or beyond. It is what consumes me and drives me. We look for every avenue to locate and build relationships with the very best and most rare executive technical talent. The excitement is tethered by other feelings of concern about how prepared the client will be and how the candidates will perceive the search. I know that the client is closing in on their calibrating but not there and the candidate pool is already looking far ahead in their career progression while contemplating their objections before we make first contact. This excitement and conflict is normal; I have had these feelings many times before. After all, it is the job that I love. But as I mature (depending on who you ask) and begin reflecting on life's lessons in this business I find myself often asking; “are we really progressing and learning from past lessons and mistakes, or are we just repeating the same themes and forgetting just enough to make things sound new and fresh?". Are we a 'traveling mass with a memory loss'? What does history say about that?
It was over 20 years ago that I was sitting in Professor Maloba's African History course at the University of Delaware (Go Hens!) when he explained that in Africa, as with most of the world, nationalism, government structures and even revolution are examples of history repeating itself. We see how new leaders and concepts rise on a platform of repetition, however, we don't always recognize this as a trend in the business, particularly in the technology recruiting space. Now in my 40s and a true Gen X, I recognize this trend of repetition more than ever in the search world; particularly over the past few years in searching for security executives and leaders. Are we truly innovating and producing new leaders for these new positions, or are we borrowing and repeating themes from previous technology trends and simply applying those themes to the new hot disciplines of 2016?
I moved to the Valley in 1996 and have been fortunate to have rewarding and challenging careers in both IT services and search. I have had a front seat in the excitement; chaos, multiple booms and busts, new technology concepts, new nomenclatures, and yes, plenty of repetition and reinvention. To have the perspective from the front row is both frustrating and necessary for the success in my business, but history has taught me to take a different perspective.
In recent memory
In 2010 if a software company engaged in a search project for what was to essentially be their Chief Information Security Officer (CISO) they would most likely be aiming to solve a technical challenge that was brought on by IT or other technical stakeholders in the organization. This was a position that almost always reported into the Chief Information Officer (CIO) and possessed a scope that was primarily focused around solving the corporate security infrastructure and data center problems; often gaping holes which still hold true today. There may have been a healthy amount of concern for the security of business applications as well as compliance, but in the end, the target was an infrastructure leader that was being asked to broaden their narrative across to the non-technical audience within the company.
By 2015, this position scope and the type of leader in the same company would have taken on a completely different feel, focus and narrative. The position would now be a technical and business leader hybrid; a Swiss-army knife with a broad arsenal of deep security skills ranging from InfoSec to AppSec to Corporate Security to Product Security, and it would require a strong understanding of working with product code and supporting developers, not to mention a sprinkling of compliance in SOC2 and/or FedRamp. This person would also need to possess the ability to drive initiatives across a global organisation, have moderate to significant experience in direct management, and perhaps possess outwardly facing executive presence to speak with other CISOs and even the press. Wow, that's a mouthful!
So, what changed in five years?
What changed this new version of a CISO role is that this is decision originated in the board room, not in the data center. The Executive team and board of directors have recognized that there are only two kinds of companies left in the world: those whose data and infrastructure have been compromised, and they know it; and those whose data and infrastructure have been compromised, and they don’t know it.
If we looked at the security world just five years ago, only a select group of companies within eCommerce, financial, and the healthcare space (plus a few government regulated environments) truly treated security leadership as a business problem. The forcing function came into play with the rapid maturing process of the cloud as a viable, scalable and secure option. The data was now instantaneous. It was everywhere, could be assessed from anywhere and was available to everyone, thus creating amazing opportunities for both product development and the bad guys. As a result, a search that was confined to a skill set based on on-premise or co-located data center infrastructure challenges turned into a fabric of holes that required solutions overnight.
The result was a drastic change in what kind of talent leadership we are seeking. As we suspected there are nowhere near the number of qualified leaders, managers, or individual contributor resources available in the market to deal with supply. The numbers of unfilled security roles are astronomical and will continue to worsen over the next decade. In search we have not seen anything like this gap before. Or have we?
Does this sound familiar to anyone else in IT, search or otherwise? In case it doesn't, here are few examples. Having focused in CIO/CTO search for 10 years, I saw a similar change around 2010 as a CIOs role morphed from a technical infrastructure and business application leadership position to a business leader and data steward. We saw a similar change with the CTO position. Both the CIO and CTO positions continue to change rapidly. How about going a bit further down the stack and looking at Infrastructure Ops transitioning into TechOps? And didn't those great IT leaders who once managed your enterprise business applications become our Cloud Apps leaders of today? I'm pretty old so I'm happy to reach back even further into the archives and bring up even more repeating themes. How about the transition from proprietary systems to open systems and client-server models? Does anyone recall DECs Star Coupler architecture, DSSI, or FDDI? If you do not know how they transformed server management you may want to read about these technologies.
In praise of the Cloud
The development of the cloud as a true business solution is one of the greatest innovations of our generation and in my opinion the largest single disruption the talent space has seen. As an executive search guy focused on disciplines like engineering, DevOps, and security I thank the cloud every day for the accelerated chaos and opportunity it has created in the talent space. Clients and candidates are often confused as to what the market will bear or how to approach their search process and approach.
With these unicorn types to security search projects, the cloud has created a need for new strategies in research, hunting, and extracting talent. We are now on full alert to provide guidance to both clients and candidates on nearly every aspect of the search process from the candidate engagement to internal client calibration, to setting the interview and feedback structure, organizing team structure, deciding on the appropriate title nomenclature and negotiating on compensation. In addition, we are now dealing with a savvy pool of Gen-X, millennial/Gen-Y candidate hybrids that often don't want to be found and have a different engagement style.
As we move from a traditionally InfoSec, AppSec, and Compliance driven position into a more Product and AppSec based leader I believe this will continue to be one of the most challenging technology leadership positions of our time. The bread crumbs are there to follow and I might suggest taking more of a historical perspective when searching for these rare security leaders.
*Purple squirrel is a term used by employment recruiters to describe a job candidate with precisely the right education, experience, and qualifications that perfectly fits a job’s multifaceted requirements.
With over 20 years of combined technology practitioner and talent management experience, Michael Piacente is responsible for leading, growing, and expanding MLG's US operation out of San Francisco. Get in touch now.